New custom security posture controls and threat detections in Security Command Center
Security Command Center Premium, Google Cloud’s built-in security and risk management solution, provides out-of-the-box security controls for cloud posture management and threat detection. As our customers build more complex environments with different risk profiles, cloud security teams may need to monitor for specific conditions and threats not covered by Security Command Center’s default findings and detections.
To help tailor detection and monitoring capabilities, Security Command Center now allows organizations to design their own customized security controls and threat detectors for their Google Cloud environment. For example, a security operator may need to detect if a key used to access a service account has not been rotated in the past 30 days, violating the organization’s security practices. Data security managers can detect if a CloudSQL database has been provisioned without enabling a backup, which could be required to recover from a possible ransomware attack.
Custom Modules for a more secure cloud posture
New Custom Modules extend Security Command Center’s out-of-the-box posture management by allowing security managers to scan resources and policies using custom logic to identify vulnerabilities, misconfigurations, and compliance violations. The definition of a module determines the resources that will be scanned and the information to be returned.
To help security teams respond to an issue, a custom module can include the detection’s severity, details explaining what was discovered, instructions on how to fix it, and other customer-specific information needed for further security analysis.
Defining a custom module is straightforward. Go to Security Health Analytics and select Create Module. Then give your custom detector a name and choose the type of asset you want to monitor from the list of supported resources.
Modules are defined using YAML and Common Expression Language (CEL) expressions. When using the Google Cloud console to create custom modules, most of the coding is generated automatically. This lessens the need for specialized skills.
Once the module is tested to confirm that it works as expected, it will start scanning your Google Cloud environment and produce findings. Just like Security Command Center’s built-in posture management capabilities, custom modules operate in near real-time.
Custom detections to make Google Cloud safer
Security Command Center provides detection for common cloud threats, such as data exfiltration, anomalous IAM activity, brute force attacks, malicious script execution, and more. Customers can now add customized threat detections using their own detection parameters, remediation guidance, and severity designations.
For example, if a security team learns of a new command and control domain in use by an adversary, they can now add that domain to the list of domains monitored by Security Command Center. For organizations who subscribe to lists or participate in information sharing, indicators can be uploaded in bulk, along with annotations and details.
To make implementation simple, Security Command Center also includes JSON templates that can be modified with organization-specific parameters. All custom detections run in real-time mode, alongside our built-in detectors for unified security operations.
Security Command Center can help Google Cloud customers tailor their cloud posture security controls and cloud threat detection to meet specific requirements.